So I did a video the other day about FreeRADIUS, OpenVPN and assigning static IP addresses. And someone had asked, and I thought this was very relevant, can you use TOTP two-factor authentication with OpenVPN? And I thought about it, and I'm like, OK, but where would that information go and how would you set it up? So I did a little digging, a little research, and got it configured. Now the interesting thing about how this is set up is, when you set up the two-factor authentication, there's only one password field, so it has to go in that password field. So I'm going to walk you through how to configure it, which is really, really easy. If you've followed my other video on FreeRADIUS setup, you are roughly three clicks away from getting this to work.

So let's go over the changes from my previous video, which I'll leave a link to if you haven't watched it. I had set the protocol to MS-CHAP, MS-CHAPv2, and you want to set the protocol to PAP. It doesn't seem to work with the other ones at all. I haven't dug into the behind-the-scenes details of why, but it doesn't. Now, PAP is a less secure methodology; there are some attacks against it. But because FreeRADIUS is running on the local server, all of this is happening on localhost, and if someone has localhost access to your server, the least of your worries is them extrapolating data from here, because they have localhost access to your server. So I know, I get the security risk, but I figured I'd address it right there. So change it to PAP and hit save.

Then go over to the settings. What we want to do in the settings, and this is in the FreeRADIUS settings, is go down towards the bottom and enable mobile one-time password support. All the other settings here are the same; nothing changed in terms of the other FreeRADIUS settings, but you will want to do that. So when you're in the settings here, just make sure that's turned on.
Pretty simple, straightforward. If you don't turn it on, you get a weird... it just doesn't work. I'll just throw it out there: you'll end up with a weird error in your troubleshooting, because if you don't turn it on, it's not going to generate them on the internal side, because there are two pieces. It has to generate these internally and have the numbers matching, and that's what turning on that setting facilitates.

Then the last thing you need to do is edit or create a user with 2FA. I'm going to edit this user here. OTP method says Google Authenticator, but it's technically your standard TOTP authentication; it doesn't have to be Google Authenticator. Matter of fact, I'm going to show the init secret. So if we show the OTP secret here, and don't worry, this is all a demo machine, there's the init secret. And if you hit generate QR code, you can scan this with Google Authenticator, or I actually prefer Authenticator Plus. But one of the things I'm going to show you is, if you're using the secret init code here, and that's the same one here, this is just a script in bash for the standard TOTP protocol. It'll generate valid responses in the same way. So use whatever authenticator tool you want.

Now, a couple of notes about this. The password field is left blank. If I try to hit save with something in there, I get an error: the password field must be left empty. So when you're doing TOTP, one-time authentication with this system, you have to have no password for the user. You instead have to have a PIN. We're going to go ahead and show the PIN. I just set it to be one, two, three, four. Minimum length of four characters. I forget what the maximum length is, but they need to have a PIN number. And the way you authenticate, the way it actually works, is it's going to be PIN plus whatever the authentication code is. So for example, at this moment, it's one, two, three, four.
And one, eight, eight, six, eight, eight will be the password to get in and authenticated. And I'm using, like I said, Authenticator Plus on my phone. So we're going to pull those codes off, and I'm just going to show you how you log in with this. So it's still good; it's still a rolling password. And if you're not familiar with TOTP, I'll link to it, I have a video on the topic of TOTP. But basically every 60 seconds, a new number is generated. If you've worked in corporate worlds, you've seen these, the RSA IDs and things like that. But every 60 seconds, a new code is generated. So no one can really guess your password. Your password is only valid for 60 seconds, and it's going to be your PIN number. So they have to have a PIN and then this. But it's pretty straightforward how this works.

I'll actually show you now how we get into the VPN and how we make it work. So we'll go ahead and jump into this, and actually show me logging in. So as I said, one, two, three, four is the PIN number. So let me just save, make sure it's saved. I'll switch back over to the screen here and we'll open up our FreeRADIUS OpenVPN. And I'm going to show what keys I'm typing when we do this. So Tom was the username, and the auth password: one, two, three, four. I can generate a code like this, 11457, or I can pull it from my phone. It's the same one. I got my phone right here and it's 11447 on the phone. So 11457 and we're in. There we go. It's connected, and we got the IP address here. So like I said, the first piece of the password is 1234. The second part is the changing part, that rolling number that shows up here, and that's it. That's all you have to do. And like I said, every 60 seconds, let's hit up arrow again here, every 60 seconds this is changing on us. So it's that simple. Those couple of clicks are all you need to do to get this working. Not a real long video, but it does work.
You can do it, and this is obviously a really good level of protection, because now let's think about all the pieces they need to get. They have to have your OpenVPN information. Do they have your certificate? They have to have your username. They have to have the PIN number, which hopefully you don't have written down. Then they have to have whatever's generating, in my case it's my phone, that other multi-factor piece of information. So this does make for a really secure VPN. Whoops. It really works well. It's really simple. It's a hard one to crack because you're not dealing with anything SMS. If you don't get it, I'll leave a link to my video on how TOTP works. But it's based on time synchronization. So the one thing that is critical to making this work consistently is going to be making sure that your pfSense box has the right time on it. And that's about it. Other than that, away you go. You can have rolling numbers and feel confident that no one's going to brute-force guess your password. This also will prevent users from trying to save their password in there. And like I said, this would work the same way if they were logging in off of a Windows desktop. Their password would be their PIN number and then those next six digits from the TOTP generation.

All right, thanks. Thanks for watching. If you like this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that Subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going.
And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel. Once again, thanks for watching this video, and see you next time.
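The PIN-plus-code password format and the time-synchronization caveat from the video, as an added example that is not part of the original video, the speaker's bash script, or the pfSense FreeRADIUS package: a standard RFC 6238 TOTP generator in Python (HMAC-SHA1 HOTP over the time counter, the same scheme any authenticator app uses for the shown init secret) and a verifier that splits the submitted password into PIN and code the way the RADIUS side has to. The 30-second step is the RFC 6238 default and is a parameter here; the secret is the RFC 4226/6238 test-vector secret in base32, and the PIN and passwords are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed inputs (not from the video): the RFC 4226 / RFC 6238 test secret
# "12345678901234567890" encoded in base32, and a demo PIN.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_PIN = "1234"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 'init secret' shown in the user's OTP settings.

    Authenticator apps tolerate spaces, lower case and missing '=' padding,
    so normalise before decoding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over floor(time / step)."""
    key = decode_secret(secret_b32)
    counter = int(unix_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_pin_plus_code(password: str, pin: str, secret_b32: str, unix_time: int,
                         step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Check a password of the form PIN + TOTP code, as the RADIUS server sees it.

    `window` is the number of steps of clock drift tolerated on either side.
    A server whose clock is well outside that window rejects every code,
    which is why the time on the pfSense box has to be right."""
    if len(password) != len(pin) + digits:
        return False
    supplied_pin, supplied_code = password[:len(pin)], password[len(pin):]
    if not hmac.compare_digest(supplied_pin.encode(), pin.encode()):
        return False
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected.encode(), supplied_code.encode()):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp_code(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("login ok:", verify_pin_plus_code(DEMO_PIN + code, DEMO_PIN, DEMO_SECRET_B32, now))
```

Feed the same base32 secret into a phone authenticator and `totp_code` produces the same six digits at the same moment, which is the point the video makes with its bash script. The `window` argument shows the failure mode: a code one step old still verifies, but a server clock five minutes off rejects every login even though the PIN and secret are correct.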